From a3301e9a8c9a5ab05a9a44f040e67cf136910517 Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 16:00:54 +0900
Subject: [PATCH 1/7] ci: use OIDC for NuGet package push authentication
This updates the build-release workflow to leverage OpenID Connect (OIDC) for authenticating with NuGet.org. The package push operation is now performed directly within the build job, replacing static API key usage with ephemeral credentials for enhanced security.
---
 .github/workflows/build-release.yaml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index cb7b8fd..b3eda92 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -74,6 +74,16 @@ jobs:
 name: MessagePipe.Analyzer
 path: ./src/MessagePipe.Analyzer/bin/Release/netstandard2.0/MessagePipe.Analyzer.dll
 retention-days: 1
+ # push nuget
+ - name: NuGet login (OIDC)
+ uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0
+ id: login
+ with:
+ user: ${{ secrets.NUGET_USER }}
+ - run: dotnet nuget push "./publish/*.nupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
+ if: ${{ !inputs.dry-run }}
+ env:
+ NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
 build-unity:
 needs: [update-packagejson]
@@ -137,7 +147,7 @@ jobs:
 commit-id: ${{ needs.update-packagejson.outputs.sha }}
 dry-run: ${{ inputs.dry-run }}
 tag: ${{ inputs.tag }}
- nuget-push: true
+ nuget-push: false
 release-upload: true
 release-asset-path: |
 ./MessagePipe.Analyzer/MessagePipe.Analyzer.dll
From 96176c80261f983ada6a61bff4011c2b76f388ce Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 16:44:58 +0900
Subject: [PATCH 2/7] ci: id-token permission
---
 .github/workflows/build-release.yaml | 1 +
 1 file changed, 1 insertion(+)
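Review bot: The `NuGet login (OIDC)` step in the hunk at line 74 has no `if: ${{ !inputs.dry-run }}`, so a dry run still performs the token exchange and mints a short-lived NuGet API key that is then never used; gating the login step with the same condition as the push step keeps credentials from being issued when nothing is published. At this point in the series the job's `permissions` block grants only `contents: read` (the `id-token: write` line is added separately in PATCH 2/7), so this commit on its own cannot obtain the OIDC token and the push would fail; squashing the two keeps every commit in the series runnable. The step is named but the push step is not; a `name: Push packages to NuGet.org` would make the job log easier to scan.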
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index b3eda92..ae64d91 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -31,6 +31,7 @@ jobs:
 needs: [update-packagejson]
 permissions:
 contents: read
+ id-token: write # required for NuGet Trusted Publish
 runs-on: ubuntu-24.04
 timeout-minutes: 10
 services:
From da67ab4d82bc0c388bdbcb53ecc9ebd062fd70d5 Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 17:52:01 +0900
Subject: [PATCH 3/7] ci: handle SymbolPackageFormat on build
---
 .github/workflows/build-debug.yaml | 2 +-
 .github/workflows/build-release.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-debug.yaml b/.github/workflows/build-debug.yaml
index 4b05df6..e3e49f8 100644
--- a/.github/workflows/build-debug.yaml
+++ b/.github/workflows/build-debug.yaml
@@ -37,7 +37,7 @@ jobs:
 - run: dotnet build ./tools/PostBuildUtility/ -c Release
 - run: dotnet build -c Release
 - run: dotnet test -c Release --no-build
- - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -o $GITHUB_WORKSPACE/artifacts
+ - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -o $GITHUB_WORKSPACE/artifacts
 # Store artifacts.
 - uses: Cysharp/Actions/.github/actions/upload-artifact@main
 with:
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index ae64d91..9e385c1 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
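Review bot: `id-token: write` in the hunk at line 31 is granted to the whole `build-dotnet` job, so every step in it — the `Cysharp/Actions/...@main` composite actions pinned to a mutable branch, the build, and the test run — can request a GitHub OIDC token for this workflow, not only the login step that needs it. GitHub Actions has no step-level permissions, so the usual mitigation is a separate minimal job that only downloads the built artifact and pushes it, which is what PATCH 7/7 later does; ordering the series so the permission is introduced together with that job avoids the intermediate state. The inline comment is helpful; I would extend it to name the consumer, e.g. `id-token: write # required for NuGet Trusted Publish (NuGet/login step)`.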
@@ -61,7 +61,7 @@ jobs:
 - run: dotnet build ./tools/PostBuildUtility/ -c Release
 - run: dotnet build -c Release -p:Version=${{ inputs.tag }}
 - run: dotnet test -c Release --no-build
- - run: dotnet pack -c Release --no-build -p:Version=${{ inputs.tag }} -o ./publish
+ - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -p:Version=${{ inputs.tag }} -o ./publish
 # Store artifacts.
 - uses: Cysharp/Actions/.github/actions/upload-artifact@main
 with:
From 044445425a326a22841e2757d9288e7ad43ed88e Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 18:02:54 +0900
Subject: [PATCH 4/7] ci: handle SymbolPackageFormat on build
---
 .github/workflows/build-release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 9e385c1..7781ba2 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -61,7 +61,7 @@ jobs:
 - run: dotnet build ./tools/PostBuildUtility/ -c Release
 - run: dotnet build -c Release -p:Version=${{ inputs.tag }}
 - run: dotnet test -c Release --no-build
- - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -p:Version=${{ inputs.tag }} -o ./publish
+ - run: dotnet pack -c Release --no-build -p:Version=${{ inputs.tag }} -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -o ./publish
 # Store artifacts.
 - uses: Cysharp/Actions/.github/actions/upload-artifact@main
 with:
From 224439ee85a7b3a06fb83e268887c3e4a493cd12 Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 18:20:28 +0900
Subject: [PATCH 5/7] ci: publish symbol files
---
 .github/workflows/build-release.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 7781ba2..0478d9a 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -85,6 +85,10 @@ jobs:
 if: ${{ !inputs.dry-run }}
 env:
 NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
+ - run: dotnet nuget push "./publish/*.snupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
+ if: ${{ !inputs.dry-run }}
+ env:
+ NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
 build-unity:
 needs: [update-packagejson]
From 6b479de314e79be25a84da2bedd0af59be838778 Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 18:56:58 +0900
Subject: [PATCH 6/7] ci: fix symbol generation options
---
 .github/workflows/build-debug.yaml | 2 +-
 .github/workflows/build-release.yaml | 8 ++------
 2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/build-debug.yaml b/.github/workflows/build-debug.yaml
index e3e49f8..c0923c4 100644
--- a/.github/workflows/build-debug.yaml
+++ b/.github/workflows/build-debug.yaml
@@ -37,7 +37,7 @@ jobs:
 - run: dotnet build ./tools/PostBuildUtility/ -c Release
 - run: dotnet build -c Release
 - run: dotnet test -c Release --no-build
- - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -o $GITHUB_WORKSPACE/artifacts
+ - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -o $GITHUB_WORKSPACE/artifacts
 # Store artifacts.
 - uses: Cysharp/Actions/.github/actions/upload-artifact@main
 with:
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 0478d9a..a1956d7 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
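Review bot: The added push of `./publish/*.snupkg` in the hunk at line 85 is most likely redundant: when a `.snupkg` with the same name sits next to the `.nupkg`, `dotnet nuget push` of the `.nupkg` uploads the symbol package as well unless `--no-symbols` is passed, so the preceding step already publishes the symbols. If the explicit step is kept for clarity, a comment such as `# explicit symbol push; the .nupkg push above already uploads the matching .snupkg, --skip-duplicate makes this a no-op then` would save the next reader the question. The second step also repeats the `env:`/`NUGET_KEY` wiring and the `if:` guard verbatim; one step with a single `run: |` block pushing both globs would remove the duplication. The enclosing `build-dotnet` job starts outside the hunk.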
@@ -57,11 +57,11 @@ jobs:
 with:
 dotnet-version: |
 6.0.x
- # build and pack
+ # build and pack nuget (.nupkg and .symbols.nupkg will be created)
 - run: dotnet build ./tools/PostBuildUtility/ -c Release
 - run: dotnet build -c Release -p:Version=${{ inputs.tag }}
 - run: dotnet test -c Release --no-build
- - run: dotnet pack -c Release --no-build -p:Version=${{ inputs.tag }} -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -o ./publish
+ - run: dotnet pack -c Release --no-build -p:Version=${{ inputs.tag }} -p:IncludeSymbols=true -o ./publish
 # Store artifacts.
 - uses: Cysharp/Actions/.github/actions/upload-artifact@main
 with:
@@ -85,10 +85,6 @@ jobs:
 if: ${{ !inputs.dry-run }}
 env:
 NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
- - run: dotnet nuget push "./publish/*.snupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
- if: ${{ !inputs.dry-run }}
- env:
- NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
 build-unity:
 needs: [update-packagejson]
From 88972fcd764adff578ecff51a107cf3618570cab Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 19:31:09 +0900
Subject: [PATCH 7/7] ci: add dedicated publish job gated on build and build-unity
---
 .github/workflows/build-release.yaml | 38 ++++++++++++++++++----------
 1 file changed, 25 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index a1956d7..c02b7b9 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -31,7 +31,6 @@ jobs:
 needs: [update-packagejson]
 permissions:
 contents: read
- id-token: write # required for NuGet Trusted Publish
 runs-on: ubuntu-24.04
 timeout-minutes: 10
 services:
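Review bot: Dropping `-p:SymbolPackageFormat=snupkg` in the hunk at line 57 means `dotnet pack` now emits a legacy `.symbols.nupkg`, which the unchanged push glob `./publish/*.nupkg` (the step just above the second hunk, outside this one) matches and sends to `api.nuget.org` as an ordinary package upload; NuGet.org's symbol server takes only `.snupkg`, so please confirm the legacy symbol package is accepted there rather than rejected, or exclude it from the push. The new comment `# build and pack nuget (.nupkg and .symbols.nupkg will be created)` describes the outputs well, but the commit gives no reason for abandoning snupkg; a one-line why next to it (e.g. `# legacy .symbols.nupkg on purpose: <reason>`) would stop the next maintainer from re-applying PATCH 3/7. The `build-dotnet` job this hunk sits in begins outside the hunk.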
@@ -75,16 +74,6 @@ jobs:
 name: MessagePipe.Analyzer
 path: ./src/MessagePipe.Analyzer/bin/Release/netstandard2.0/MessagePipe.Analyzer.dll
 retention-days: 1
- # push nuget
- - name: NuGet login (OIDC)
- uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0
- id: login
- with:
- user: ${{ secrets.NUGET_USER }}
- - run: dotnet nuget push "./publish/*.nupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
- if: ${{ !inputs.dry-run }}
- env:
- NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
 build-unity:
 needs: [update-packagejson]
@@ -137,9 +126,32 @@ jobs:
 if-no-files-found: error
 retention-days: 1
+ # publish
+ publish:
+ name: "Publish NuGet packages"
+ needs: [build-dotnet, build-unity]
+ permissions:
+ contents: read
+ id-token: write # required for NuGet Trusted Publish
+ runs-on: ubuntu-24.04
+ timeout-minutes: 10
+ steps:
+ - uses: Cysharp/Actions/.github/actions/setup-dotnet@main
+ - uses: Cysharp/Actions/.github/actions/download-artifact@main
+ # push nuget
+ - name: NuGet login (OIDC)
+ uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0
+ id: login
+ with:
+ user: ${{ secrets.NUGET_USER }}
+ - run: dotnet nuget push "./nuget/*.nupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
+ if: ${{ !inputs.dry-run }}
+ env:
+ NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
+
 # release
 create-release:
- needs: [update-packagejson, build-dotnet, build-unity]
+ needs: [update-packagejson, publish]
 permissions:
 contents: write
 id-token: write # required for NuGet Trusted Publish
@@ -160,7 +172,7 @@ jobs:
 cleanup:
 if: ${{ needs.update-packagejson.outputs.is-branch-created == 'true' }}
- needs: [update-packagejson, build-unity]
+ needs: [update-packagejson, create-release]
 permissions:
 contents: write
 uses: Cysharp/Actions/.github/workflows/clean-packagejson-branch.yaml@main
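Review bot: `create-release` still carries `id-token: write # required for NuGet Trusted Publish` (the last context lines of the hunk at line 137) even though the push now lives in the new `publish` job and the reusable release workflow has been called with `nuget-push: false` since PATCH 1/7; the permission and its comment are stale and should be removed so the release job runs with `contents: write` only. In the new `publish` job, `download-artifact@main` is invoked with no inputs while the push expects `./nuget/*.nupkg`, so the artifact name and destination directory are implicit; once confirmed against the upload step in `build-dotnet`, a comment such as `# downloads the 'nuget' artifact from build-dotnet into ./nuget` would make the contract visible. The login step is again not gated on `if: ${{ !inputs.dry-run }}`, so a dry run still mints an ephemeral API key; apply the same guard to the login step as to the push. The `publish` job is the one place `id-token: write` is now granted, which is the right scope; pinning its `Cysharp/Actions/...@main` actions to a commit SHA like the `NuGet/login` step already is would make that job's supply chain consistent.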
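Review bot: With `needs: [update-packagejson, create-release]` in the hunk at line 160 and a job-level `if` that does not use `always()`, `cleanup` is skipped whenever `publish` or `create-release` fails, so a failed release leaves the generated packagejson branch behind. If the branch should be removed regardless of the release outcome, the condition would need to be `if: ${{ always() && needs.update-packagejson.outputs.is-branch-created == 'true' }}`; if keeping it for debugging a failed release is intentional, a comment above the job saying so would settle the question for the next reader.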